Beware of in-the-wild 0day attacks exploiting Windows and Flash


Windows users woke up to something that doesn't happen every day: the disclosure of two zero-day vulnerabilities, one in the Microsoft operating system and the other in Adobe's Flash Player.

The Windows bug is being actively exploited in the wild, making it imperative that users install the fixes Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189, the flaw allows attackers to surreptitiously execute malicious code when a vulnerable computer visits a booby-trapped website. In the days or weeks leading up to Tuesday, it had been exploited in targeted attacks against South Korean websites, according to a blog post published by security firm Symantec. Technically, the vulnerability resides in the JScript and VBScript scripting engines rather than in the browser itself, but Internet Explorer is the vehicle used to reach it, which is why the fix ships with the IE update.

Separately, Adobe officials warned that a newly discovered Flash vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild. Adobe said it planned to release an update as soon as Thursday.


FBI paid at least $1.3M for zero-day to get into San Bernardino iPhone

James Comey is the director of the FBI. (credit: Brookings Institute)

FBI Director James Comey told a conference in London that his agency paid more than $1.3 million to gray-hat hackers who were able to unlock the iPhone 5C used by Syed Rizwan Farook, the dead terrorist who carried out the attack in San Bernardino, California, in December 2015.

According to Reuters, Comey was asked Thursday how much the FBI paid for the technique that eventually allowed investigators to access the locked phone. His answer gives the figure only indirectly: the FBI director's salary is roughly $183,300 a year, so seven years and four months of pay works out to about $1.3 million, which is where the headline number comes from.

"A lot. More than I will make in the remainder of this job, which is seven years and four months for sure," Comey said. "But it was, in my view, worth it."
